What privacy controls are in the HITRUST Common Security Framework?

The updated HITRUST Common Security Framework allows organizations to manage privacy, security and compliance with one framework. Here's how it works and what the update includes.

The Health Information Trust Alliance (HITRUST) recently updated its Common Security Framework to include privacy controls. This means organizations can rely on a single framework to manage privacy, security and compliance. Can you explain the updates to the CSF and the benefits or drawbacks of using a single framework?

First, it is important to have a little background on the Health Information Trust Alliance (HITRUST). HITRUST is a nonprofit organization created by healthcare organizations to collaborate on security and privacy issues. It is not a regulatory body, but it assists its member organizations in complying with the many regulations governing healthcare in the United States.

The HITRUST Common Security Framework (CSF) is intended to help organizations design a common set of security controls that meet varied regulatory requirements and international standards, including HIPAA, PCI DSS, COBIT, NIST and ISO. The first six versions of the framework provided a normalized mapping of security requirements to a common set of controls, easing the burden on compliance professionals seeking to reconcile various overlapping requirements.

The seventh version of the Common Security Framework, released in January 2015, added privacy controls. These controls cover three objectives:

  • Openness and transparency
  • Individual choice and participation
  • Correction

Most healthcare organizations must comply with both security and privacy regulations, and the controls for both domains often overlap. Combining these controls into a single framework allows organizations to spend less time reading regulations and focus on delivering security and privacy results.

This was last published in July 2015